一、 漏洞 CVE-2025-3248 基础信息
漏洞信息
# Langflow 未授权远程代码执行漏洞
# 漏洞描述
## 概述
Langflow版本在1.3.0之前的版本存在代码注入漏洞。攻击者可以通过精心构造的HTTP请求,在无需身份验证的情况下,执行任意代码。
## 影响版本
- 版本:< 1.3.0
## 细节
该漏洞存在于`/api/v1/validate/code`端点中。远程且未认证的攻击者可以发送特殊构造的HTTP请求来注入并执行任意代码。
## 影响
- 远程未认证攻击
- 可以执行任意代码,进而控制服务器
提示
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
二、漏洞 CVE-2025-3248 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | A vulnerability scanner for CVE-2025-3248 in Langflow applications. 用于扫描 Langflow 应用中 CVE-2025-3248 漏洞的工具。 | https://github.com/xuemian168/CVE-2025-3248 | POC详情 |
| 2 | POC of CVE-2025-3248, RCE of LangFlow | https://github.com/PuddinCat/CVE-2025-3248-POC | POC详情 |
| 3 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-3248.yaml | POC详情 |
| 4 | None | https://github.com/verylazytech/CVE-2025-3248 | POC详情 |
| 5 | https://github.com/vulhub/vulhub/blob/master/langflow/CVE-2025-3248/README.md | POC详情 | |
| 6 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%BA%E5%B7%A5%E6%99%BA%E8%83%BD%E6%BC%8F%E6%B4%9E/Langflow%20code%20API%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2025-3248.md | POC详情 |
| 7 | Scanner and exploit for CVE-2025-3248 | https://github.com/Praison001/CVE-2025-3248 | POC详情 |
| 8 | CVE-2025-3248: A critical flaw has been discovered in Langflow that allows malicious actors to execute arbitrary Python code on the target system. This can lead to full remote code execution without authentication, potentially giving attackers control over the server. | https://github.com/vigilante-1337/CVE-2025-3248 | POC详情 |
| 9 | Perform Remote Code Execution using vulnerable API endpoint. | https://github.com/Vip3rLi0n/CVE-2025-3248 | POC详情 |
| 10 | This Python script exploits CVE-2025-3248 to execute arbitrary commands or spawn a reverse shell on a vulnerable system. Authentication is required to use this exploit. | https://github.com/tiemio/RCE-CVE-2025-3248 | POC详情 |
| 11 | CVE-2025-3248 Langflow RCE Exploit | https://github.com/ynsmroztas/CVE-2025-3248-Langflow-RCE | POC详情 |
| 12 | None | https://github.com/imbas007/CVE-2025-3248 | POC详情 |
| 13 | Exploit for Langflow AI Remote Code Execution (Unauthenticated) | https://github.com/0xgh057r3c0n/CVE-2025-3248 | POC详情 |
| 14 | CVE-2025-3248 — Langflow RCE Exploit | https://github.com/zapstiko/CVE-2025-3248 | POC详情 |
| 15 | CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage | https://github.com/B1ack4sh/Blackash-CVE-2025-3248 | POC详情 |
| 16 | Powerful unauthenticated RCE scanner for CVE-2025-3248 affecting Langflow < 1.3.0 | https://github.com/issamjr/CVE-2025-3248-Scanner | POC详情 |
| 17 | Remote Code Execution Exploit for Langflow (CVE-2025-3248) - [ By S4Tech ] | https://github.com/0-d3y/langflow-rce-exploit | POC详情 |
| 18 | CVE-2025-3248 | https://github.com/dennisec/CVE-2025-3248 | POC详情 |
| 19 | Mass-CVE-2025-3248 | https://github.com/dennisec/Mass-CVE-2025-3248 | POC详情 |
| 20 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | https://github.com/ill-deed/Langflow-CVE-2025-3248-Multi-target | POC详情 |
| 21 | None | https://github.com/r0otk3r/CVE-2025-3248 | POC详情 |
三、漏洞 CVE-2025-3248 的情报信息
-
标题: fix: auth current user on code validation by jordanrfrazier · Pull Request #6911 · langflow-ai/langflow · GitHub -- 🔗来源链接
标签: patch
神龙速读
-
-
标题: Unsafe at Any Speed: Abusing Python Exec for Unauth RCE in Langflow AI | Horizon3.ai -- 🔗来源链接
标签: exploit
神龙速读
- https://nvd.nist.gov/vuln/detail/CVE-2025-3248
四、漏洞 CVE-2025-3248 的评论
暂无评论